This piece was originally published by APC member organisation EngageMedia.
This article is part of Pandemic of Control, a series of articles that aims to further public discourse on the rise of digital authoritarianism in the Asia-Pacific amid COVID-19. Pandemic of Control is an initiative by EngageMedia, in partnership with CommonEdge. Read more about the series here, and about the contributing writer at the end of this piece.
As the COVID-19 pandemic continues in Indonesia, the government’s PeduliLindungi application remains an integral part of daily life. Named by merging the Indonesian words for “care” (peduli) and “protect” (lindungi), the app claims to do just that, tracking and screening COVID-19 statuses, and providing resources and information on COVID-19. Its existence has become synonymous with and inseparable from the pandemic itself, and people’s reliance on the information, access, and resources it offers to protect themselves from COVID-19 comes at the risk of trading off one’s rights to data privacy.
As of writing, over 50 million people have downloaded the app from the Google Play Store, making it the top medical app in the country. But as more and more users register and use the app, the severity of concerns regarding the app’s security and extensive tracking has also increased.
In September 2021, Indonesian President Joko Widodo’s vaccine certificate was leaked online. The incident came just a month after the suspected breach of the Indonesia Electronic Health Alert Card (eHAC) app, which compromised the data of 1.3 million users. The leaks have since triggered public discourse on data security and the amount of personal information collected and stored by PeduliLindungi.
Following the breaches, the Indonesian government claimed that the app has secured the data of all users, a response not unlike the reassurances it has given after similar breaches in the past. PeduliLindungi thus potentially poses a bigger threat due to its frequency of usage, number of users, and unique type of information stored, all while leaving Indonesians with little to no legal recourse to protect their data.
A daily ritual: How PeduliLindungi controls average Indonesians’ freedom of movement
While the app’s usage varies between regions, there is no other government platform that reaches the scale and scope of PeduliLindungi. The main app’s interface has also been integrated into 15 other consumer-oriented apps, and there are even plans to turn the app into a digital wallet.
To enter any public place in Indonesia, one must first scan the location’s required QR code through PeduliLindungi or any other app interconnected with PeduliLindungi, such as Jakarta’s regional app JAKI and the Indonesian startup giant GOJEK. The collected information – such as the user’s legal name, ID number, susceptibility to catching COVID-19, current location, and time spent within the facility – is then logged and stored on PeduliLindungi servers. Previous versions of the app had made that information available for users to see under the option “Check-in History”. Those who have not formally registered for PeduliLindungi or the other interconnected apps are allowed to enter public spaces only if they show valid vaccine certificates, which are also hosted by PeduliLindungi and must be accessed through its portals.
When an Indonesian is not formally part of the PeduliLindungi system, there are a number of challenges and hurdles disturbing their daily routines. For example, if one is not able to get a ticket to get vaccinated – whether it is their choice or vaccine unavailability – one will not be allowed to freely use and enter bus stops, train stations, markets, hospitals, office buildings, and other public spaces. The unvaccinated have even reported difficulties in getting treatment from medical facilities, which rely on the PeduliLindungi database to access one’s COVID-19 status.
Using the app is now not only necessary, but socially mandatory in order to keep one’s freedom of movement. Such measures were argued as justified to curb the spread of COVID-19, despite questions regarding their ability to do so. However, it must be stressed that the government should not rely only on PeduliLindungi to decide who is eligible to access basic needs and public services afforded to the Indonesian public, regardless of people’s ability to be vaccinated, get tested for COVID-19, and more.
How secure is the data?
There are also numerous unanswered questions surrounding the digital security of PeduliLindungi. While no classified information stored online can ever be completely secure, the Indonesian government has yet to take adequate action to ensure the security of its various databases.
When the eHAC database was leaked in 2021, the government chose to deflect and stress that only the “old, separate eHAC” was compromised. It also did not elaborate on the steps it had taken to secure both versions of eHAC and their interconnected servers (which include the servers used by PeduliLindungi). In the end, the government simply asked citizens to delete the old eHAC app on their phones.
PeduliLindungi does not escape this lack of accountability. For one, the President’s leaked vaccine certificate only showed how easy it was to obtain any certificate – even those not your own. Accessing these on the app requires only a full name, ID number, date of birth, and date and type of vaccination – information that can easily be found on social media or even through carelessly discarded paper documents.
In the President’s case, investigators found that his information was obtained through PCare, a separate Ministry of Health application that healthcare providers use to upload a user’s vaccination data to PeduliLindungi servers. The connection between both applications remains unclear.
The issue only compounds with the interconnectivity of PeduliLindungi with other third-party applications. For example, the app is connected to Google and other third-party software providers that track users’ locations when entering and exiting public spaces, and when using public transportation. A previous version of the PeduliLindungi mobile app allegedly contained anomalies, including manual data storage within the application and sending said data to an external, non-Indonesian website. The app had also in the past sent users’ names and kinds of devices to a subsidiary of PT Telkom, Indonesia’s state-run telecommunication company with servers in Singapore.
But despite evidence that third-party applications may have led to data breaches on other government apps, PeduliLindungi’s latest privacy policy maintains a no-liability clause for “violations or unauthorized access”, which include how third parties use PeduliLindungi’s data. The app also claims no liability for damaging results emerging from its system’s failure and disturbances.
Lack of protection, regulation, and accountability continues on
Despite large numbers of infections, the public continues to debate whether the monitoring and tracking done by PeduliLindungi are necessary to curb the spread of COVID-19. Regardless of which side of the debate you are on, the Indonesian government’s responses to past data breaches and other concerning events fail to address the root of the problem: the security of the PeduliLindungi servers and the data privacy of its users.
The government never published the results of PeduliLindungi’s initial security audit, which would have informed the public of the safety and security of the app before its implementation. There have been no updates on an additional audit performed after the supposed leak of the President’s certificate.
PeduliLindungi is also still not registered under the government’s own Electronic System Organizers – a requirement for public servers as per regulation.
The Indonesia Internet Governance Forum (ID-IGF)’s advice regarding improvements that may be made to guarantee the safety and privacy of the app has also been largely unheeded, despite the fact that it was directly communicated to one of the app’s stakeholders on national television.
The citizens are once again bearing the brunt of this lack of protection, regulation, and accountability. Indonesians sacrificed their freedom of movement and privacy, and entrusted their data to the government, under the premise that doing so will prevent the further spread of the virus and pave the way towards the end of the pandemic.
Worse, Indonesia currently has no specific legislation concerning the protection of data privacy. While there are provisions regulating consent to individual data usage, they are scattered around various levels of law.
The Legislation Concerning Electronic Information and Transaction, for example, regulated the consent that must be acquired from users for the usage of personal data obtained from electronic media. It further stated that should a court rule that the data used has been deemed improper and is causing damage, then the electronic media hosting the data shall promptly delete the information. There are no discussions concerning the consequences for the electronic media of improper utilisation of personal data, nor is there specific regulation on reparations for the damages induced by the improper usage. The currently existing Ministry Regulation concerning Protection of Private Data under Electronic System functions more like a guideline that contains no punitive or consequential clauses for those who breach the rule’s terms. While there is a draft for Personal Data Protection Laws, it is still stuck in deliberation in the House of Representatives, and few improvements have been made so far.
As PeduliLindungi and the government continue to fumble in its operations, and as these concerns are brushed under the rug, one needs to ask: Is PeduliLindungi really caring for and protecting the Indonesian public?